SQL Injection Vulnerability in msg_events.php Could Allow Unauthenticated Execution of System Commands
CVE-2024-28138

7.3HIGH

Key Information:

Vendor: Image Access Gmbh
Status: Scan2net
Vendor: CVE Published:; 10 December 2024

🔔 Create Image Access Gmbh Vulnerability Alert

Badges

👾 Exploit Exists

What is CVE-2024-28138?

An unauthenticated attacker with network access can exploit the vulnerable 'msg_events.php' script in the ImageAccess web interface. Due to improper sanitization of the HTTP GET parameter 'data', the attacker can execute arbitrary system commands as the www-data user, leading to significant security risks. This vulnerability highlights the importance of securing web interfaces against injection attacks to protect sensitive data and system integrity.

Affected Version(s)

Scan2Net 0

References

https://r.sec-consult.com/imageaccess

third-party-advisory

https://www.imageaccess.de/?page=SupportPortal&lang=en

patch

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Nov 3, 2025
Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Mar 5, 2024

Credit

Daniel Hirschberger (SEC Consult Vulnerability Lab)

Tobias Niemann (SEC Consult Vulnerability Lab)

JSON